b'March 30, 2007\n\nALEXANDER E. LAZAROFF\nCHIEF POSTAL INSPECTOR\n\nJERRY D. LANE\nVICE PRESIDENT, CAPITAL METRO AREA\n\nGUY J. COTTRELL\nINSPECTOR IN CHARGE, WASHINGTON DIVISION\n\nKEITH A. FIXEL\nINSPECTOR IN CHARGE, CHARLOTTE DIVISION\n\n\nSUBJECT: Audit Report \xe2\x80\x93 Postal Service Security Controls and Processes for the\n         Capital Metro Area (Report Number SA-AR-07-002)\n\nThis report presents the results of our self-initiated audit of the U.S. Postal Service\xe2\x80\x99s\nsecurity controls and processes for the Capital Metro Area (Project Number\n06YG034SA000). Our objective was to determine whether the Postal Service and\nPostal Inspection Service had sufficient controls and processes in place to efficiently\nand effectively protect employees, customers, the mail, and critical assets of the Postal\nService. We will issue subsequent reports on our audits in other postal areas. We also\nplan to review Postal Inspection Service security operations, including security\nassessment tools the Postal Service and the Postal Inspection Service use.\n\nThe Postal Service and the Postal Inspection Service have opportunities to improve\nsecurity controls and processes to more effectively and efficiently protect employees,\ncustomers, the mail, and critical assets. For example, responsible security personnel\ndid not always conduct Facility Security Surveys accurately or annually as required. We\nmade five recommendations to management at both the Postal Inspection Service and\nthe Postal Service to improve security controls and processes to enhance employee\nawareness, accountability, and overall collaboration.\n\nManagement agreed with recommendations 1 through 4 and their corrective actions,\ntaken or planned, are responsive to our recommendations and should correct the issues\nidentified in the findings.\n\x0cManagement partially agreed with recommendation 5 to develop appropriate\nperformance measures for physical security to assess the achievement of security goals\nand incorporate them into performance plans for area-, district-, and field-level security\npersonnel. Management stated they recognized the need for program evaluation and\nhave established program standards to address performance. However, the Postal\nService\xe2\x80\x99s current Pay for Performance structure only permits security performance\nmeasures for the Area Security Coordinator and not for ad hoc security positions at the\ndistrict- and field-levels.\n\nManagement\xe2\x80\x99s comments and corrective actions, taken or planned, are partially\nresponsive to recommendation 5. We acknowledge there may be limits in assigning\ngoals and objectives in the Postal Service\xe2\x80\x99s current Pay for Performance structure.\nHowever, these limitations should not be a complete barrier to establishing individual\nperformance measures for security personnel. Management should seek alternative\nmethods to establishing individual security performance measures and accountability for\nresponsible district- and field-level security personnel. We do not plan to pursue\nrecommendation 5 through the formal audit resolution process. Management\xe2\x80\x99s\ncomments and our evaluation of these comments are included in the report.\n\nThe U.S. Postal Service Office of Inspector General (OIG) considers all\nrecommendations significant, and therefore requires OIG concurrence before closure.\nConsequently, the OIG requests written confirmation when corrective actions are\ncompleted. These recommendations should not be closed in the follow-up tracking\nsystem until the OIG provides written confirmation the recommendations can be closed.\n\nWe appreciate the cooperation and courtesies provided by your staff during the audit. If\nyou have any questions or need additional information, please contact Andrea L.\nDeadwyler, Director, Inspection Service and Facilities, or me at (703) 248-2100.\n E-Signed by Tammy Whitcomb\nERIFY authenticity with ApproveI\n\n\n\nTammy L. Whitcomb\nDeputy Assistant Inspector General\n for Support Operations\n\nAttachments\n\ncc: Lawrence Katz\n    Juliana Nedd\n    Orin M. Wilson\n    Michele L. Culp\n    Deborah A. Kendall\n\x0cPostal Service Security Controls and                                     SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n                                    TABLE OF CONTENTS\n Executive Summary                                                                       i\n\n Part I\n\n Introduction                                                                            1\n\n     Background                                                                         1\n     Objective, Scope, and Methodology                                                  2\n     Prior Audit Coverage                                                               4\n\n Part II\n\n Audit Results                                                                           5\n\n     Opportunities Exist to Improve Security Controls and Processes                      5\n\n      Facility Security Surveys                                                         5\n       Recommendations                                                                  6\n       Management\xe2\x80\x99s Comments                                                            7\n       Evaluation of Management\xe2\x80\x99s Comments                                              7\n\n      Corrective Action on Security Deficiencies and Follow-up Reviews                  8\n       Recommendation                                                                   9\n       Management\xe2\x80\x99s Comments                                                            9\n       Evaluation of Management\xe2\x80\x99s Comments                                              9\n\n      Training                                                                           9\n       Recommendation                                                                   11\n       Management\xe2\x80\x99s comments                                                            11\n       Evaluation of Management\xe2\x80\x99s Comments                                              11\n\n      Performance Measures                                                              11\n       Recommendation                                                                   12\n       Management\xe2\x80\x99s comments                                                            12\n       Evaluation of Management\xe2\x80\x99s Comments                                              13\n\n Appendix A. Capital Metro Area Facilities                                              14\n\n Appendix B. Status of Facility Security Surveys                                        16\n\n Appendix C. Management\xe2\x80\x99s Comments                                                      18\n\x0cPostal Service Security Controls and                                          SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n                                    EXECUTIVE SUMMARY\n Introduction                   This report presents the results of our self-initiated audit of\n                                the U.S. Postal Service\xe2\x80\x99s security controls and processes.\n                                Our objective was to determine whether the Postal Service\n                                and Postal Inspection Service had sufficient controls and\n                                processes in place to efficiently and effectively protect\n                                employees, customers, the mail, and critical assets of the\n                                Postal Service. This report addresses our audit results in\n                                the Capital Metro Area. We will issue subsequent reports\n                                regarding our audit results in other postal areas. We also\n                                plan to review Postal Inspection Service security operations,\n                                including security assessment tools used by the Postal\n                                Service and the Postal Inspection Service.\n\n Results in Brief               The Postal Service and the Postal Inspection Service have\n                                opportunities to improve security controls and processes to\n                                effectively and efficiently protect employees, customers, the\n                                mail, and critical assets. Specifically, Postal Service and\n                                Postal Inspection Service management could strengthen\n                                controls to enhance employee awareness, accountability,\n                                and overall collaboration. For example:\n\n                                \xe2\x80\xa2   Responsible security personnel did not always conduct\n                                    Facility Security Surveys (FSS) accurately and annually\n                                    as required.\n\n                                \xe2\x80\xa2   Management did not always sufficiently address and\n                                    resolve deficiencies identified during security\n                                    assessments.\n\n                                \xe2\x80\xa2   Sixty-seven percent of responsible security personnel\n                                    interviewed did not have security control officer (SCO)\n                                    training.\n\n                                \xe2\x80\xa2   Postal Service management did not effectively assess\n                                    security operations to identify areas for improvement.\n\n\n\n\n                                                 i\n\x0cPostal Service Security Controls and                                          SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n\n Summary of                     We recommend the Chief Postal Inspector:\n Recommendations\n                                \xe2\x80\xa2   Provide the Area Security Coordinator (ASC) and district\n                                    and facility SCOs with consolidated standard operating\n                                    procedures and guidance to assist them in performing\n                                    their duties and responsibilities consistently and in a\n                                    timely manner.\n\n                                \xe2\x80\xa2   Establish a formal process for conducting FSSs,\n                                    including timeframes for addressing deficiencies and\n                                    follow-up reviews.\n\n                                \xe2\x80\xa2   Establish requirements for mandatory security training,\n                                    including periodic refresher training, for responsible\n                                    security personnel at the area-, district-, and facility-\n                                    levels.\n\n                                We also recommend the Vice President, Capital Metro\n                                Area, in consultation with the Inspector in Charge, Charlotte\n                                Division, and the Inspector in Charge, Washington Division:\n\n                                \xe2\x80\xa2   Require area- and district-level personnel to implement\n                                    internal controls, such as an internal review and\n                                    approval process, to ensure that security personnel\n                                    complete FSSs accurately and in a timely manner.\n\n                                \xe2\x80\xa2   Develop performance measures to assess the\n                                    achievement of security goals.\n\n Summary of                     Management agreed with recommendations 1 through 4\n Management\xe2\x80\x99s                   and stated the following:\n Comments\n                                \xe2\x80\xa2 The Chief Postal Inspector will issue official instruction,\n                                  regulation, and guidance in the Postal Service\xe2\x80\x99s\n                                  Administrative Support Manual. Additionally, the\n                                  network of security personnel in the Inspection Service,\n                                  areas, and districts will reinforce these procedures to\n                                  provide guidance that is more consistent.\n\n                                \xe2\x80\xa2 Management established requirements for completing\n                                  FSSs in a timely manner. Management has also\n                                  established additional procedures for monitoring,\n                                  reviewing, and reporting status of FSSs.\n\n\n\n\n                                                  ii\n\x0cPostal Service Security Controls and                                          SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n                                \xe2\x80\xa2   Management plans to establish a process to include a\n                                    reasonable timeframe for addressing deficiencies and\n                                    conducting follow-up reviews.\n\n                                \xe2\x80\xa2   Management plans to establish requirements for annual\n                                    training.\n\n                                Management partially agreed with recommendation 5 and\n                                stated they recognized the need for program evaluation and\n                                have established program standards to address\n                                performance. However, the Postal Service\xe2\x80\x99s current Pay for\n                                Performance structure only permits security performance\n                                measures for the ASC and not for ad hoc security positions\n                                at the district- and field-levels. The Postal Service\xe2\x80\x99s current\n                                Pay for Performance structure limits managers in assigning\n                                goals and allows only three objectives as performance\n                                measures per position. Because many of the security\n                                positions at the districts and facilities are ad hoc, goals and\n                                objectives assigned focus on primary duties and not ad hoc\n                                duties related to security. Management\xe2\x80\x99s comments, in their\n                                entirety, are included in Appendix C of this report.\n\n Overall Evaluation of          Management\xe2\x80\x99s comments and corrective actions, taken or\n Management\xe2\x80\x99s                   planned, are responsive to recommendations 1 through 4\n Comments                       and should correct the issues identified in the findings.\n\n                                Management\xe2\x80\x99s comments and planned corrective actions\n                                are partially responsive to recommendation 5. We\n                                acknowledge there may be limits to the type of goals and\n                                the number of objectives allowed in the Postal Service\xe2\x80\x99s\n                                current Pay for Performance structure. However, we\n                                believe management could make the necessary\n                                adjustments to their Pay for Performance system to allow\n                                for the establishment of security-related performance\n                                measures for security personnel. We do not plan to pursue\n                                this recommendation through the formal audit resolution\n                                process based on the revisions the Postal Service is\n                                currently making to the field security program. We believe\n                                these changes should allow for improved internal controls.\n\n\n\n\n                                                 iii\n\x0cPostal Service Security Controls and                                                               SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n                                           INTRODUCTION\n Background                       Postal Inspection Service. The Chief Postal Inspector is the\n                                  chief security officer for the Postal Service. The Postal\n                                  Inspection Service is the security arm of the Postal Service\n                                  and is responsible for protecting an estimated 800,000\n                                  postal employees and approximately 38,000 facilities\n                                  nationwide. The Postal Inspection Service also protects the\n                                  mail, postal assets, and millions of postal customers, and\n                                  provides training and guidance to Postal Service security\n                                  personnel.\n\n                                  The Postal Inspection Service uses various tools and\n                                  processes to assess and ensure the physical security of\n                                  Postal Service employees and assets. The tools and\n                                  processes include Facility Security Surveys (FSS), Facility\n                                  Risk Rating Model (FRRM), and Observation of Mail\n                                  Conditions (OMC). Our audit focused on the FSS.1\n\n                                  Facility Security Surveys. The objectives of FSSs are to\n                                  determine, through on-site inspection and evaluation,\n                                  current facility status and to recommend actions to improve\n                                  security. The FSS, which must be completed annually, is\n                                  an in-depth checklist of 273 yes-or-no questions covering\n                                  physical security areas such as access controls, closed\n                                  circuit televisions (CCTV), key controls, and Registered\n                                  Mail\xe2\x84\xa2 cages. Responsible security officials in the Postal\n                                  Inspection Service and the Postal Service, including postal\n                                  inspectors and security control officers (SCO), complete the\n                                  FSSs.2\n\n                                  Postal Service. The Postal Service, an independent\n                                  establishment of the executive branch of the U.S.\n                                  government, operates like a business and generates $70\n                                  billion in revenue annually.3 Under the Postal\n                                  Reorganization Act, the Postal Service is required to provide\n                                  prompt, reliable, and efficient service to patrons in all areas\n                                  and to render postal services to all communities. In fiscal\n                                  year (FY) 2005, the Postal Service processed and delivered\n                                  over 200 billion pieces of mail.\n\n\n1\n  We will review the FRRM and the OMC program in a separate report on Postal Inspection Service security\noperations and assessment tools.\n2\n  The FSS is an Inspection Service tool. However, FSSs are conducted primarily by Postal Service SCOs.\n3\n  United States Postal Service Annual Report 2005.\n\n\n\n\n                                                        1\n\x0cPostal Service Security Controls and                                                 SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n                                The Postal Service faces a variety of security challenges\n                                that require aggressive investigative and preventive\n                                responses. Its ability to protect employees, customers, and\n                                the mail is fundamental to ensuring high-quality, reliable\n                                service. In addition, all Postal Service employees are\n                                responsible for preventing unauthorized individuals from\n                                entering restricted areas. To help manage physical security\n                                concerns, each area has an Area Security Coordinator\n                                (ASC), each district has a District Security Control Officer\n                                (DSCO), and each Postal Service facility has an SCO.\n\n                                \xe2\x80\xa2   The ASC in the Capital Metro Area, a full-time position,\n                                    manages the establishment of the area and district\n                                    security committees and oversees security programs\n                                    and committees to ensure effectiveness and compliance\n                                    with regulations. The ASC also manages the SCO\n                                    program, provides guidance, and serves as the liaison\n                                    between the area, district, and plants for SCO-related\n                                    matters.\n\n                                \xe2\x80\xa2   DSCOs in the Capital Metro Area manage the overall\n                                    district security program; serve as liaison with the Postal\n                                    Inspection Service; manage compliance with security\n                                    policies and procedures, including FSSs; and provide\n                                    security guidance to management. The DSCO is\n                                    generally a collateral position assigned to the district\n                                    manager for emergency preparedness.\n\n                                \xe2\x80\xa2   Facility SCOs serve as the focal point for addressing\n                                    security concerns, help implement security policies, and\n                                    coordinate with the Postal Inspection Service on security\n                                    matters. The SCO is also a collateral position and is\n                                    usually the installation head or a designated manager or\n                                    supervisor. The SCO is required to conduct an FSS\n                                    annually.\n\n Objective, Scope, and          Our objective was to determine whether the Postal Service\n Methodology                    and Postal Inspection Service had sufficient controls and\n                                processes to efficiently and effectively protect postal\n                                employees, customers, the mail, and critical assets of the\n                                Postal Service.\n\n                                To accomplish our objective, we interviewed Postal Service\n                                and Postal Inspection Service officials, including officials\n\n\n\n                                                  2\n\x0cPostal Service Security Controls and                                                                SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n                                   from the Office of Emergency Preparedness, the ASC for\n                                   the Capital Metro Area, DSCOs, SCOs, and installation\n                                   heads. We also interviewed Inspectors in Charge, team\n                                   leaders, inspectors, and program managers. Additionally,\n                                   we reviewed applicable policies and procedures related to\n                                   Postal Service and Postal Inspection Service physical\n                                   security, including Homeland Security Presidential\n                                   Directives 7 and 12.\n\n                                   We judgmentally sampled Postal Service facilities in the\n                                   Capital Metro Area to conduct audit fieldwork. We reviewed\n                                   security operations and controls at the selected facilities.\n                                   We selected facilities based on square footage, Crimes\n                                   Against Persons and Property (CAP) index,4 and the\n                                   number of employees at each facility. Our sample included\n                                   47 Postal Service facilities (see Appendix A) in the Capital\n                                   Metro Area, including facilities in the District of Columbia,\n                                   Maryland, North Carolina, South Carolina, and Virginia. We\n                                   also conducted fieldwork at Postal Inspection Service\n                                   headquarters, National Law Enforcement Control Center,\n                                   and the Washington and Charlotte Divisions.\n\n                                   We analyzed FSSs and Area Security Assessment Program\n                                   (ASAP) reviews conducted at selected facilities for calendar\n                                   years 2005 and 2006 to determine whether they were\n                                   completed as required and whether management\n                                   appropriately addressed the deficiencies identified. We also\n                                   reviewed training records from the National Training\n                                   Database (NTD) to determine whether key security\n                                   personnel received sufficient physical security training and\n                                   guidance to efficiently and effectively protect employees,\n                                   customers, and Postal Service assets.\n\n                                   We tested and validated computer-generated data from the\n                                   Facility Security Database (FSD), ASAP database, and NTD\n                                   system by comparing data obtained from these databases\n                                   with other source documents, observing facility conditions,\n                                   and discussing the data with appropriate Postal Service\n                                   officials. We consider the data sufficiently reliable to\n                                   support the opinions and conclusions in this report.\n\n                                   We conducted this audit from May 2006 through March\n                                   2007 in accordance with generally accepted government\n4\n The CAP index is a commercially available database the Postal Inspection Service uses to assess risk to Postal\nService property from external elements.\n\n\n\n\n                                                         3\n\x0cPostal Service Security Controls and                                                 SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n                                auditing standards and included such tests of internal\n                                controls as we considered necessary under the\n                                circumstances. We discussed our observations and\n                                conclusions with management officials on November 28 and\n                                December 12, 2006 and included their comments where\n                                appropriate.\n\n Prior Audit Coverage           The Government Accountability Office (GAO) report, U.S.\n                                Postal Service: Physical Security Measures Have\n                                Increased at Some Core Facilities, But Security Problems\n                                Continue (Report Number GAO-05-48, dated November\n                                2004), concluded the Postal Service had established\n                                physical security requirements, such as access control and\n                                exterior lighting, necessary for core facilities to address the\n                                threats of robberies, burglaries, theft, and vandalism.\n\n                                Additionally, implementation of security measures had\n                                increased at some facilities, although security problems still\n                                existed at some core facilities. However, incomplete and\n                                inaccurate data precluded GAO from assessing changes in\n                                the implementation of security measures at core facilities.\n                                Specifically, the Postal Service\xe2\x80\x99s FSD had a number of\n                                problems, such as missing and incomplete data, duplicate\n                                responses, and miscoded facilities. Further, GAO\xe2\x80\x99s visits to\n                                13 core facilities revealed a number of security problems,\n                                including facility keys unaccounted for, unlocked doors,\n                                deactivated alarms, and employees not wearing\n                                identification badges.\n\n                                GAO recommended and management agreed to develop a\n                                plan, with objectives, timeframes, and resources needed, to\n                                correct and update the Postal Service\xe2\x80\x99s FSD so that\n                                management can accurately assess the status of physical\n                                security at core facilities, identify needed improvements,\n                                and assess the progress made at facilities.\n\n\n\n\n                                                 4\n\x0cPostal Service Security Controls and                                                                 SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n                                            AUDIT RESULTS\n    Opportunities Exist to           Capital Metro Area management has opportunities to improve\n    Improve Security                 security controls and processes to effectively and efficiently\n    Controls and                     protect employees, customers, the mail, and critical assets.\n    Processes                        Specifically, management could strengthen controls to\n                                     enhance employee awareness, accountability, and overall\n                                     collaboration. For example:\n\n                                     \xe2\x80\xa2    Responsible security personnel did not always conduct\n                                          FSSs accurately and annually as required.\n\n                                     \xe2\x80\xa2    Management did not always take sufficient action to\n                                          correct deficiencies identified during FSSs.\n\n                                     \xe2\x80\xa2    Sixty-seven percent of responsible security personnel\n                                          interviewed did not have any SCO-related training.\n\n                                     \xe2\x80\xa2    Postal Service management did not effectively assess\n                                          security operations to identify areas for improvement.\n\n    Facility Security                Responsible security personnel did not always complete FSSs\n    Surveys                          accurately or annually, as required by the Postal Service\xe2\x80\x99s\n                                     Administrative Support Manual.5 This occurred because\n                                     Postal Inspection Service management did not establish\n                                     consolidated standard operating procedures and guidance to\n                                     assist security officials in performing their duties and\n                                     responsibilities. Also, Postal Service management did not\n                                     implement appropriate internal and management controls to\n                                     ensure responsible personnel followed policies and\n                                     procedures. When security personnel do not conduct FSSs\n                                     accurately and at least annually, as required, Postal Service\n                                     employees, customers, the mail, and other critical assets are\n                                     exposed to increased risk. Additionally, the Postal Service did\n                                     not take advantage of the opportunity to mitigate risks that\n                                     accurate and timely FSSs would identify.\n\n                                     Accuracy of FSSs. FSSs were not completed accurately at 23\n                                     percent (11 of 47) of the facilities reviewed. For example:\n\n\n\n\n5\n  The Postal Service\xe2\x80\x99s Administrative Support Manual 13 (dated July 1999 and updated with Postal Bulletin revisions\nthrough December 22, 2005) requires SCOs or designees to conduct annual FSSs.\n\n\n\n\n                                                         5\n\x0cPostal Service Security Controls and                                                          SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n\n                                   \xe2\x80\xa2    A facility SCO answered \xe2\x80\x9cyes\xe2\x80\x9d to a question regarding\n                                        perimeter fencing when there was no perimeter fencing at\n                                        the facility.\n\n                                   \xe2\x80\xa2    A facility SCO answered \xe2\x80\x9cno\xe2\x80\x9d to a question regarding\n                                        whether the facility had an intrusion detection system.\n                                        However, the facility did have an intrusion detection\n                                        system.\n\n                                   \xe2\x80\xa2    A facility SCO answered \xe2\x80\x9cno\xe2\x80\x9d to a question regarding\n                                        whether the registry cage was enclosed. However, based\n                                        on our observation and discussion with the SCO, the\n                                        registry cage was fully enclosed.\n\n                                   Timeliness of FSSs. At 51 percent (24 of 47) of the facilities\n                                   reviewed, FSSs were not completed annually as required by\n                                   the Administrative Support Manual. (See Appendix B for the\n                                   status of FSSs at facilities reviewed.) SCOs complete the\n                                   FSSs and enter the results into the facility security database.\n                                   SCOs and Postal Service facility managers use FSS results to\n                                   assess the security environment at Postal Service facilities.\n                                   However, there were no internal or management controls\n                                   requiring approval of FSSs to ensure accuracy and timeliness.\n\n                                   According to internal control standards set by GAO, internal\n                                   control activities such as approvals, authorizations, and\n                                   verifications help ensure that management\xe2\x80\x99s directives are\n                                   carried out and actions are taken to address risk.6 When\n                                   SCOs do not complete FSSs as required, Postal Service\n                                   employees, customers, the mail, and other critical assets are\n                                   exposed to increased risk.\n\n    Recommendation                 We recommend the Chief Postal Inspector:\n\n                                   1. Establish and provide consolidated standard operating\n                                      procedures and guidance to the Area Security Coordinator,\n                                      District Security Control Officers, and facility Security\n                                      Control Officers to assist them in performing their duties\n                                      and responsibilities consistently and in a timely manner.\n\n\n6\n Standards for Internal Control in the Federal Government (Report Number GAO/AIMD-00-21.3.1, dated November\n1999).\n\n\n\n\n                                                     6\n\x0cPostal Service Security Controls and                                                 SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n\n Management\xe2\x80\x98s                     Management agreed with our recommendation and stated the\n Comments                         Chief Postal Inspector will issue official instruction, regulation,\n                                  and guidance in the Postal Service\xe2\x80\x99s Administrative Support\n                                  Manual. Additionally, the network of security personnel in the\n                                  Postal Inspection Service, areas, and districts will reinforce\n                                  these procedures to provide guidance that is more consistent.\n                                  In a follow-up memorandum dated March 21, 2007,\n                                  management stated they would complete corrective actions by\n                                  September 30, 2007.\n\n Evaluation of                    Management\xe2\x80\x99s comments and planned corrective actions are\n Management\xe2\x80\x99s                     responsive to the recommendation and should correct the\n Comments                         issues identified in the finding.\n\n Recommendation                   We recommend the Vice President, Capital Metro Area, in\n                                  consultation with the Inspector in Charge, Charlotte Division,\n                                  and the Inspector in Charge, Washington Division:\n\n                                  2. Require area- and district-level personnel to establish and\n                                     implement appropriate internal controls, such as an internal\n                                     review and approval process, to ensure that security\n                                     personnel complete facility security surveys accurately and\n                                     in a timely manner.\n\n Management\xe2\x80\x99s                     Management agreed with our recommendation and stated\n Comments                         they have established requirements for completing FSSs in a\n                                  timely manner. All facilities must have a current facility\n                                  security survey online in the Facility Security Database by\n                                  June 1, 2007. Management has also established additional\n                                  procedures for monitoring, reviewing, and reporting the status\n                                  of FSSs. The ASC is required to monitor and provide quarterly\n                                  reports to each district and conduct security reviews and verify\n                                  the accuracy of FSSs. In a follow-up memorandum dated\n                                  March 21, 2007, management stated they implemented\n                                  corrective actions on August 2, 2006.\n\n Evaluation of                    Management\xe2\x80\x99s comments and corrective actions taken are\n Management\xe2\x80\x99s                     responsive to the recommendation and should correct the\n Comments                         issues identified in the finding.\n\n\n\n\n                                                  7\n\x0cPostal Service Security Controls and                                                                   SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n\n    Corrective Action on                Management did not always take sufficient corrective action to\n    Security Deficiencies               resolve deficiencies identified during FSSs. This occurred\n    and Follow-up Reviews               because management did not establish internal controls\n                                        requiring formal, written procedures, including timeframes and\n                                        follow-up reviews, to address deficiencies. Specifically, SCOs\n                                        at 40 percent (19 of 47) of the facilities reviewed did not take\n                                        sufficient corrective actions to resolve deficiencies. As a\n                                        result, the Postal Service did not fully mitigate identified\n                                        security deficiencies, and Postal Service employees and\n                                        assets were exposed to increased risk.\n\n                                        For example, at one facility, the SCO identified and reported to\n                                        the Facility Service Office (FSO) that the cyclone fence and\n                                        five facility doors needed repair. These deficiencies were\n                                        initially reported in March 2005. However, as of July 2006, the\n                                        FSO had not taken any action and the SCO had not conducted\n                                        any follow-up regarding these matters.\n\n                                        At another facility the SCO indicated on the FSS dated\n                                        February 22, 2006, that CCTV tapes were not replaced\n                                        annually.7 In a previous survey dated June 15, 2004,8 the FSS\n                                        had documented the same deficiency. We discussed this\n                                        matter with the SCO, who acknowledged that the CCTV tapes\n                                        had not been replaced and that he planned to submit an order.\n\n                                        According to GAO internal control standards, monitoring\n                                        internal controls should include policies and procedures to\n                                        ensure that management resolves findings from reviews.\n                                        Managers are to promptly evaluate findings and deficiencies;\n                                        determine the proper action; and complete, within established\n                                        timeframes, all actions needed to correct the matters brought\n                                        to their attention. The resolution process begins when the\n                                        results of reviews are reported to management, and is\n                                        complete only after management has corrected the\n                                        deficiencies, made improvements, or demonstrated that the\n                                        findings and recommendations do not warrant management\n                                        action.\n\n                                        After FSSs are completed, facility managers and SCOs should\n                                        take corrective actions within an established timeframe.\n                                        Additionally, formal follow-up should be required to ensure\n\n7\n    The Postal Service\xe2\x80\x99s Security Guide FY 2004, stipulates that CCTV tapes are to be replaced after 12 months.\n8\n    The SCO did not complete an FSS for 2005.\n\n\n\n\n                                                           8\n\x0cPostal Service Security Controls and                                                                  SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n                                      management addresses deficiencies.\n\n    Recommendation                    We recommend the Chief Postal Inspector:\n\n                                      3. Establish and implement a formal process for conducting\n                                         facility security surveys, including timeframes for\n                                         addressing deficiencies and conducting follow-up reviews.\n\n    Management\xe2\x80\x99s                      Management agreed with our recommendation and stated\n    Comments                          they would work with inspectors and security personnel in the\n                                      areas and districts to ensure the required annual security\n                                      surveys are conducted and documented in the Facilities\n                                      Security Database, as the existing process dictates.\n                                      Additionally, as part of the revised security program, Postal\n                                      Inspection Service and Postal Service management will work\n                                      together to establish a reasonable timeframe for addressing\n                                      deficiencies and conducting follow-up reviews. In a follow-up\n                                      memorandum dated March 21, 2007, management stated they\n                                      would implement these corrective actions by September 30,\n                                      2007.\n\n    Evaluation of                     Management\xe2\x80\x99s comments and planned corrective actions are\n    Management\xe2\x80\x99s                      responsive to the recommendation and should correct the\n    Comments                          issues identified in the finding.\n\n    Training                          Security personnel did not receive sufficient and consistent\n                                      training. This occurred because Postal Inspection Service\n                                      management did not establish requirements for mandatory\n                                      training for security personnel. As a result, security personnel\n                                      were not fully aware of their responsibilities and did not have\n                                      the knowledge they needed to perform their duties, and Postal\n                                      Service assets were exposed to increased risk.\n\n                                      According to GAO internal control standards, control activities,\n                                      such as training, should be aimed at developing and retaining\n                                      employees\xe2\x80\x99 skill levels to meet organizational needs.\n                                      Sufficient training is essential to assist responsible security\n                                      personnel with identifying and mitigating security risks.\n\n                                      Sixty-seven percent (439 of 6410) of the security personnel we\n                                      interviewed had not received any SCO-related training.\n\n9\n Of the 43 responsible security officials interviewed who did not have SCO training, 17 were from the Mid-Carolinas,\nGreensboro, and Greater South Carolina Districts. These districts were moved from the Eastern Area to the Capital\nMetro Area effective April 1, 2006.\n\n\n\n\n                                                         9\n\x0cPostal Service Security Controls and                                                        SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n                                       Additionally, 57 percent (32 of 5611) of security personnel\n                                       stated they needed additional training to effectively perform\n                                       their duties.\n\n                                       Based on the results of our interviews with SCOs, we\n                                       determined that SCOs were not always familiar with the\n                                       applicable Postal Service security criteria, such as Postal\n                                       Service Handbook RE-5, Building and Site Security\n                                       Requirements.\n\n                                       One ASC stated that there was no formal training for the ASC\n                                       position. He stated that he generally relied on his military\n                                       experience to perform his security duties and responsibilities.\n                                       DSCOs and SCOs also stated they were not fully aware of\n                                       their duties and responsibilities and wanted more training to\n                                       effectively conduct their security work.\n\n                                       The Postal Service offers the following training to Postal\n                                       Service officials responsible for security:\n\n                                       E-learning Physical Security Module \xe2\x80\x93 This online course on\n                                       physical security provides an overview of the responsibilities of\n                                       the SCOs. The course can be completed in about 4.5 hours.\n\n                                       SCO Training, Phases I through III \xe2\x80\x93 This is classroom training\n                                       that covers SCO duties and responsibilities and other security\n                                       issues. The phases are specific to the types of facilities and\n                                       the number of employees located at each facility. Specifically:\n\n                                       \xe2\x80\xa2    Phase I is available to SCOs and security personnel at\n                                            core facilities, including headquarters, area offices, district\n                                            offices, processing and distribution centers, and bulk mail\n                                            centers.\n\n                                       \xe2\x80\xa2    Phase II is available to SCOs and security personnel at\n                                            facilities with 26 or more employees.\n\n                                       \xe2\x80\xa2    Phase III is available to SCOs and security personnel at\n                                            facilities with less than 26 employees.\n\n\n\n\n10\n     This figure represents the DSCOs, SCOs, and facility and plant managers interviewed.\n11\n     This figure represents the DSCOs and SCOs interviewed.\n\n\n\n\n                                                          10\n\x0cPostal Service Security Controls and                                                  SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n                                  Although security training was available, Postal Service\n                                  management did not require responsible security personnel at\n                                  the area-, district-, and installation-levels to take the training.\n\n Recommendation                   We recommend the Chief Postal Inspector:\n\n                                  4. Establish requirements for mandatory security training,\n                                     including periodic refresher training, for responsible\n                                     security personnel at the area-, district- and facility-levels.\n\n Management\xe2\x80\x98s                     Management agreed with our recommendation and stated\n Comments                         they will establish requirements for annual training and update\n                                  policy documents (such as the Postal Service\xe2\x80\x99s Administrative\n                                  Support Manual) to reflect this change. Additionally,\n                                  management stated they would include requirements for\n                                  annual training as position requirements for postal inspectors\n                                  and area and district security personnel. In a follow-up\n                                  memorandum dated March 21, 2007, management stated they\n                                  would complete corrective actions by September 30, 2007.\n\n Evaluation of                    Management\xe2\x80\x99s comments and planned corrective actions are\n Management\xe2\x80\x99s                     responsive to recommendation 4 and should correct the issues\n Comments                         identified in the finding.\n\n Performance Measures             Postal Service management did not effectively assess security\n                                  operations to identify areas for improvement. This occurred\n                                  because security personnel did not have appropriate\n                                  performance measures for physical security. Without\n                                  appropriate performance measures, Postal Service\n                                  management does not have reasonable assurance that its\n                                  physical security goals are met to ensure the safeguarding of\n                                  Postal Service employees, customers, the mail, and other\n                                  critical assets.\n\n                                  Specifically, none of the DSCOs and SCOs interviewed had\n                                  security-related performance measures. For example, they\n                                  did not have any performance measures to assess whether\n                                  they had:\n\n                                  \xe2\x80\xa2     Completed FSSs annually.\n\n                                  \xe2\x80\xa2     Taken corrective actions to resolve deficiencies identified\n                                        with security assessment tools.\n\n\n\n\n                                                   11\n\x0cPostal Service Security Controls and                                                 SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n                                  \xe2\x80\xa2     Obtained the necessary security training.\n\n                                  \xe2\x80\xa2     Provided security awareness training to employees.\n\n                                  However, the ASC of the Capital Metro Area stated he had\n                                  performance measures to assess his:\n\n                                  \xe2\x80\xa2     Completion of FSSs at all 15 major processing and\n                                        distribution centers.\n\n                                  \xe2\x80\xa2     Completion of 10 to 15 ASAP reviews for each district.\n\n                                  \xe2\x80\xa2     Conduct of Phase I training for SCOs.\n\n                                  Performance measures would help security officials address\n                                  their responsibilities in an operations-driven environment,\n                                  improve management\xe2\x80\x99s ability to assess the performance of its\n                                  security operations, and identify areas for improvement. In\n                                  addition, establishing appropriate performance measures and\n                                  indicators helps ensure that employees accomplish\n                                  management\xe2\x80\x99s directives and organizational objectives.\n\n Recommendation                   We recommend the Vice President, Capital Metro Area, in\n                                  consultation with the Inspector in Charge, Charlotte Division,\n                                  and the Inspector in Charge, Washington Division:\n\n                                  5. Develop appropriate performance measures for physical\n                                     security to assess the achievement of security goals and\n                                     incorporate them into performance plans for area-, district-,\n                                     and field-level security personnel.\n\n Management\xe2\x80\x99s                     Management partially agreed with our recommendation and\n Comments                         stated they recognized the need for program evaluation and\n                                  have established program standards to address performance.\n                                  Management stated they have utilized the ASAP to review\n                                  facilities; established the goal to have all facilities on-line and\n                                  in compliance with the Facility Security Survey by June 1,\n                                  2007; and conducted security reviews at all 26 mail processing\n                                  facilities over the past year. Management stated they\n                                  implemented these corrective actions on August 2, 2006.\n\n                                  However, management stated the Postal Service\xe2\x80\x99s current Pay\n                                  for Performance structure only permits security performance\n\n\n\n\n                                                   12\n\x0cPostal Service Security Controls and                                               SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n                                  measures for the ASC and not for ad hoc security positions at\n                                  the district- and field-levels. The Postal Service\xe2\x80\x99s current Pay\n                                  for Performance structure limits managers in assigning goals\n                                  and allows only three objectives as performance measures per\n                                  position. Because many of the security positions at the\n                                  district- and field-levels are ad hoc, goals and objectives\n                                  assigned focus on primary duties and not ad hoc duties related\n                                  to security. Until the Postal Service reviews and changes this\n                                  process, managers are limited as to what kind of goals they\n                                  can assign their employees regarding security ad hoc\n                                  responsibilities.\n\n Evaluation of                    Management\xe2\x80\x99s comments and corrective actions taken are\n Management\xe2\x80\x99s                     partially responsive to recommendation 5. We acknowledge\n Comments                         there may be limits to the type of goals and the number of\n                                  objectives allowed in the Postal Service\xe2\x80\x99s current Pay for\n                                  Performance structure. However, we believe management\n                                  could make the necessary adjustments to their Pay for\n                                  Performance system to allow for the establishment of security-\n                                  related performance measures for security personnel. We do\n                                  not plan to pursue this recommendation through the formal\n                                  audit resolution process based on revisions the Postal Service\n                                  is currently making to the field security program. We believe\n                                  these changes should allow for improved internal controls.\n\n\n\n\n                                                13\n\x0cPostal Service Security Controls and                                                     SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n      APPENDIX A. CAPITAL METRO AREA FACILITIES REVIEWED\n                 District                  Facility Name                   City          State\n\n       1   Capital                V Street Facility                   Washington, D.C.\n       2   Capital                Curseen-Morris P&DC                 Washington, D.C.\n       3   Capital                Customs House Station               Washington, D.C.\n       4   Capital                River Terrace Carrier               Washington, D.C.\n       5   Capital                National Capitol                    Washington, D.C.\n       6   Capital                Farragut Station                    Washington, D.C.\n       7   Capital                Ben Franklin Station                Washington, D.C.\n       8   Capital                Carrier Annex                       Silver Spring      MD\n       9   Capital                Southern Maryland P&DC/VMF          Capital Heights    MD\n      10   Capital                Oxon Hill Branch                    Oxon Hill          MD\n      11   Capital                Suitland Branch                     Suitland           MD\n      12   Capital                Bowie Main Office                   Bowie              MD\n      13   Capital                Aspen Hill Retail                   Silver Spring      MD\n      14   Capital                Colesville Station                  Silver Spring      MD\n      15   Capital                Bethesda                            Bethesda           MD\n      16   Northern Virginia      Franconia Station                   Alexandria         VA\n      17   Northern Virginia      Alexandria Trade Center Station     Alexandria         VA\n      18   Northern Virginia      Arlington Temporary Carrier Annex   Arlington          VA\n      19   Northern Virginia      Arlington North Station             Arlington          VA\n      20   Richmond               East End Station                    Richmond           VA\n      21   Richmond               West End                            Richmond           VA\n      22   Richmond               Saunders Station                    Richmond           VA\n      23   Richmond               Richmond P&DC                       Richmond           VA\n      24   Richmond               Norfolk CFS                         Norfolk            VA\n      25   Richmond               Norfolk P&DC/Hampton Roads VMF      Norfolk            VA\n      26   Richmond               Lafayette Station                   Norfolk            VA\n      27   Richmond               Newport News                        Newport News       VA\n      28   Richmond               Acredale Carrier Annex              Virginia Beach     VA\n      29   Greater S. Carolina    Gaffney - Main Office               Gaffney            SC\n      30   Greater S. Carolina    East Bay                            Charleston         SC\n      31   Greater S. Carolina    Pinehaven                           North Charleston   SC\n      32   Greater S. Carolina    Charleston P&DF                     Charleston         SC\n      33   Greater S. Carolina    Columbia Main Office                Columbia           SC\n      34   Greater S. Carolina    Edgewood Station                    Columbia           SC\n      35   Greater S. Carolina    Sumter Main Office                  Sumter             SC\n      36   Greater S. Carolina    Spartanburg Main Office             Spartanburg        SC\n      37   Mid-Carolinas          Derita Branch                       Charlotte          NC\n      38   Mid-Carolinas          Charlotte - CFS Annex               Charlotte          NC\n      39   Mid-Carolinas          Charlotte P&DC                      Charlotte          NC\n      40   Greensboro             Capitol Station                     Raleigh            NC\n      41   Greensboro             Raleigh VMF                         Raleigh            NC\n      42   Greensboro             West Durham Station                 Durham             NC\n      43   Greensboro             Greensboro BMC                      Greensboro         NC\n      44   Greensboro             Greensboro DDC/VMF                  Greensboro         NC\n      45   Greensboro             Century Station                     Raleigh            NC\n      46   Greensboro             Durham Main Station                 Durham             NC\n      47   Greensboro             Spring Valley Station               Greensboro         NC\n\n\n\n\n                                                  14\n\x0cPostal Service Security Controls and                           SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n\n      Legend\n\n      P&DC              Processing and Distribution Center\n      VMF               Vehicle Maintenance Facility\n      CFS               Computerized Forwarding System\n      P&DF              Processing and Distribution Facility\n      BMC               Bulk Mail Center\n      DDC               Delivery Distribution Center\n\n\n\n\n                                               15\n\x0cPostal Service Security Controls and                                                 SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n         APPENDIX B. STATUS OF FACILITY SECURITY SURVEYS\n\n                                                                              Facility\n                                                                             Security\n                                                                              Survey\n                                                                            Completed\n                     District                    Facility Name               Annually\n\n          1   Capital                   V Street Facility                      No\n          2   Capital                   Washington P&DC                        No\n          3   Capital                   Customs House Station                  Yes\n          4   Capital                   River Terrace Carrier                  No\n          5   Capital                   National Capitol                       Yes\n          6   Capital                   Farragut Station                       No\n          7   Capital                   Ben Franklin Station                   No\n          8   Capital                   Carrier Annex                          No\n          9   Capital                   Southern Maryland P&DC                 No\n         10   Capital                   Oxon Hill Station                      No\n         11   Capital                   Suitland Branch                        No\n         12   Capital                   Bowie Main Office                      No\n         13   Capital                   Aspen Hill Retail                      No\n         14   Capital                   Colesville Station                     No\n         15   Capital                   Bethesda Main Office                   No\n\n         16   Northern Virginia         Franconia Station                      Yes\n         17   Northern Virginia         Alexandria Trade Center Station        Yes\n         18   Northern Virginia         Arlington Temporary Carrier Annex      Yes\n         19   Northern Virginia         Arlington North Station                Yes\n\n         20   Richmond                  East End Station                       Yes\n         21   Richmond                  West End                               Yes\n         22   Richmond                  Saunders Station                       No\n         23   Richmond                  Richmond P&DC                          No\n         24   Richmond                  Norfolk CFS                            No\n         25   Richmond                  Lafayette Station                      Yes\n         26   Richmond                  Newport News                           No\n         27   Richmond                  Acredale Carrier Annex                 No\n         28   Richmond                  Norfolk P&DC                           No\n\n         29   Greater S. Carolina       Gaffney Main Office                    Yes\n         30   Greater S. Carolina       East Bay                               Yes\n         31   Greater S. Carolina       Pinehaven                              Yes\n         32   Greater S. Carolina       Charleston P&DF                        Yes\n         33   Greater S. Carolina       Columbia Main Office                   Yes\n         34   Greater S. Carolina       Edgewood Station                       Yes\n         35   Greater S. Carolina       Sumter Main Office                     Yes\n         36   Greater S. Carolina       Spartanburg Main Office                Yes\n\n         37   Mid-Carolinas             Derita Branch                          No\n         38   Mid-Carolinas             Charlotte \xe2\x80\x93 CFS Annex                  No\n\n\n\n\n                                                   16\n\x0cPostal Service Security Controls and                                     SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n                                                                  Facility\n                                                                 Security\n                                                                  Survey\n                                                                Completed\n                     District                   Facility Name    Annually\n         39   Mid-Carolinas             Charlotte P&DC             No\n\n         40   Greensboro                Capitol Station            Yes\n         41   Greensboro                Raleigh VMF                Yes\n         42   Greensboro                West Durham Station        No\n         43   Greensboro                Greensboro BMC             Yes\n         44   Greensboro                Greensboro DDC/VMF         Yes\n         45   Greensboro                Century Station            No\n         46   Greensboro                Durham Main Station        Yes\n         47   Greensboro                Spring Valley Station      Yes\n\n\n\n        Legend\n\n        P&DC            Processing and Distribution Center\n        VMF             Vehicle Maintenance Facility\n        CFS             Computerized Forwarding System\n        P&DF            Processing and Distribution Facility\n        BMC             Bulk Mail Center\n        DDC             Delivery Distribution Center\n\n\n\n\n                                                   17\n\x0cPostal Service Security Controls and                   SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n\n                   APPENDIX C. MANAGEMENT\xe2\x80\x99S COMMENTS\n\n\n\n\n                                        18\n\x0cPostal Service Security Controls and         SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n\n                                        19\n\x0cPostal Service Security Controls and         SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n\n                                        20\n\x0cPostal Service Security Controls and         SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n\n                                        21\n\x0cPostal Service Security Controls and         SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n\n                                        22\n\x0cPostal Service Security Controls and         SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n\n                                        23\n\x0cPostal Service Security Controls and         SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n\n                                        24\n\x0cPostal Service Security Controls and         SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n\n                                        25\n\x0cPostal Service Security Controls and         SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n\n                                        26\n\x0cPostal Service Security Controls and         SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n\n                                        27\n\x0cPostal Service Security Controls and         SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n\n                                        28\n\x0cPostal Service Security Controls and         SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n\n                                        29\n\x0cPostal Service Security Controls and         SA-AR-07-002\n Processes for the Capital Metro Area\n\n\n\n\n                                        30\n\x0c'